Wiping devices
When a device is lost, stolen, or assigned to a new user, you may want to wipe the device to remove any personal or sensitive information.
There are two methods for wiping a device, depending on whether the device is enrolled or only discovered through the Exchange server.
•Enrolled devices are wiped through the MDM inventory tool.
•Discovered devices are wiped through the EAS server.
There are three wipe options for managed devices:
•Selective wipe. Removes all the agent settings on the device. For example, a selective wipe would remove app restrictions or Wi-Fi passwords. It does not uninstall the Ivanti agent.
•Selective wipe and delete. Removes the agent settings and also deletes the device from the Management Console inventory.
•Factory reset. On macOS devices, the device is completely wiped and nothing remains, including the OS, and a PIN is required to unlock the device. On Windows 10/11 PCs, the device is reset to factory settings. This option removes the Ivanti agent from devices.
Apple devices have an additional factory reset security feature called activation lock. This prevents users from resetting and reselling company owned devices. For more information, see Activation lock (Apple).
When you send a wipe command, it is sent through the device's configured notification service. The command is sent immediately and cannot be canceled.
If the device is unreachable when the command is sent, the notification service caches the command temporarily. If the device comes online again while the command is cached, the command is delivered to the device and it is wiped. If the device does not come online within 24 hours, the wipe command is not delivered.
NOTE: If a mobile device has both the MDM and Agent applications installed, wiping a device using the Modern Device Management still removes the Ivanti profile.
To execute the wipe command
1.Find the device in the Network view.
2.Right-click it and click Wipe. Then select the type of wipe you want to perform.
3.You are prompted to proceed with the command.
On macOS devices, the Wipe > Factory reset command asks you to create a 6-digit PIN that will remotely lock the selected macOS device. After the reset, the device is locked with that PIN. If the correct PIN isn't entered, the device remains locked and is unusable. This can be useful for devices that are lost or stolen.
Devices that have been factory reset no longer appear in the Network view, but you can use the Client data storage tool to recover the PIN used to reset them.
To recover a factory reset PIN
- Click Tools > Configuration > Client data storage.
- In the Devices tree, double-click the device you want.
- In the Client data dialog box, select the Erase Device PIN item, and click the export toolbar button.
- Select a location for the resulting text file.
- Open the text file in an editor and view the recovered PIN.
On a Microsoft Exchange server, the wipe is associated with both the user and the device. Once the wipe command is sent to the server, the device's status in Modern Device Management is set to "Wipe pending". The next time the device attempts to log in, the wipe command will execute and the device will be wiped immediately. Because the wipe does not actually occur until the next time the device logs in, the wipe command can be canceled at any time prior to the device check in.
To execute the wipe command
1.Find the device in the Network view.
2.Right-click it and click EAS Wipe.
3.You are prompted to proceed with the command.
When the device is wiped, it is also removed from the inventory.
To cancel a wipe command
•To cancel a wipe command (only available for devices being wiped through EAS), right-click on the device and select Cancel wipe.